Bucket policy to whitelist a specific IAM role

Question

I have a bucket policy which looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::test-bucket/*"
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::test-bucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/status": "INFECTED"
                },
                "StringNotLike": {
                    "aws:SourceArn": "arn:aws:sts::1234567890:assumed-role/ecs_task_role/*"
                }
            }
        }
    ]
}

What I want is something like this:

If the s3 object has a tag with the key-value status=INFECTED, then restrict access to the public, unless you are using this iam role arn:aws:iam::1234567890:role/ecs_task_role. So any system(container here) which assumes this iam role should be able to access the bucket contents regardless of what tag the objects in it has.

I've seen that my ecs tasks assume this role and its role arn then looks something like this: arn:aws:sts::1234567890:assumed-role/ecs_task_role/e7f2364b-c93d-4228-9259-1a59bdf2d201.

So I've used the wildcard StringNotLike operator to whitelist the requests coming from my ecs tasks.

But for some reason this doesn't work. My ecs tasks are getting 403 access denied's when trying to download objects from the bucket with the tag status: INFECTED. What am I missing here? And more importantly, What do I need to change to make this access control logic work?

Thanks in advance!

Answer 1

Life is much simpler without using Deny.

It appears you have two requirements:

• Block public access for 'INFECTED' objects
• Grant access to the IAM Role

This can be broken down into two components:

• A Bucket Policy that grants access to non-INFECTED objects
• A policy on the IAM Role that grants access to the bucket (regardless of the metadata)

In the bucket policy, you should use NotStringEquals to check for the tag (that is, grant permission where that tag is not found). This limits the Allow without having to use a Deny.

{
    "Version": "2012-10-17",
    "Id": "AllowNonInfected",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::stack-woodstock/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:ExistingObjectTag/status": "INFECTED"
                }
            }
        }
    ]
}